[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel

Andrew Bartlett abartlet at samba.org
Wed Dec 18 15:25:05 MST 2013


On Wed, 2013-12-18 at 22:40 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >>>>> Thanks! Are you able to do a wintest with this?
> >>>>>
> >>>>> I also want to do some tests with Windows DCs.
> >>>>>
> >>>>> One important thing I want to verify is the behavior of
> >>>>>
> >>>>>          invalidate_cm_connection(&domain->conn);
> >>>>> +       domain->conn.netlogon_force_reauth = true;
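Review bot: setting `domain->conn.netlogon_force_reauth = true` right after invalidate_cm_connection() forces a new netr_ServerReqChallenge/netr_ServerAuthenticate3 exchange on the next use of the connection, and the thread reports that against a Samba 4 DC this exchange was observed over a binding already using DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY, which Windows DCs may not accept. Suggest having the forced re-auth establish the credentials over a plain (non-schannel) connection before rebinding with schannel, or adding a test against a Windows DC to confirm the current path is accepted.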
> >>>>>
> >>>>> in _wbint_CheckMachineAccount() and related code.
> >>>>>
> >>>>> Testing against a s4 dc showed that we are doing
> >>>>> netr_ServerReqChallenge/netr_ServerAuthenticate3 over a connection
> >>>>> with DCERPC_AUTH_TYPE_SCHANNEL/DCERPC_AUTH_LEVEL_PRIVACY and I'm not
> >>>>> sure Windows also likes that.
> >>>>>
> >>>>> I think some combination of 'wbinfo -t' and 'wbinfo -c' triggered that.
> >>>>>
> >>>>> Günther can you also do some tests with your VMs?
> >>>> I'll get Garming to give this a test against some real Windows VMs, and
> >>>> yes, this is a very good excuse to get wintest running again.
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>>
> >>> It appears to work just fine on my end.
> >>
> >> Against what Windows versions did you test?
> > 
> > Garming tested with 2008R2.
> > 
> >> I've tested today against a w2012 dc and found that it works.
> >>
> >> I just found one bug when using net rpc testjoin, which triggered
> >> a DCERPC_FAULT_SEC_PKG_ERROR.
> >> This commit should fix the problem for now:
> >> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=88d3b57a7f744c4be39668031717df146eba7e6d
> >> it's part of
> >> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> >> now.
> >>
> >> I've done some captures see
> >> https://www.samba.org/~metze/ads/caps/netlogon/v4-0-schannel/20131213/
> >>
> >> I'll try to do some more testing on Monday.
> 
> I've also tested with Windows 2008 and will do with NT4 and Windows 2000
> and some samba versions.
> 
> I have some updates in my
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel-ok
> branch.
> 
> While testing with winbind sealed pipes = no, I noticed that we send the
> same Authenticator again and again to a dc that returns NOT_IMPLEMENTED
> to LogonGetCapabilities(). As this is the first request on each schannel
> connection,
> I think it's better to avoid this, as the session key is much more long
> living now.
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=fa68a5814d7ad3fb48b22eaaad1bdb0ed2fc495c
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=5df6c619f5670b71e04ab047a2d6f12073d376dc
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=485ed1950affa3b9da0d78dc927c4185b2111e8c
> 
> are the cleanups for this.
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=23896aefe5f50ba977167a85b1b6189dd65d03f0
> got netlogon_creds_cli_open_global_db()
> which is used in
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=82e902bad329a0734ab2b4c1436f53c440cca4ef
> which is used in
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=46949116273667b65d7ac59f1d1a11ec9284f963
> 
> This makes sure that the winbind parent opens the netlogon_creds_cli.tdb
> and it doesn't get cleared
> if a child was killed and a new one was started. This way we only do a
> ServerChallenge/ServerAuthenticate
> pair when winbindd is restarted or the dc gets restarted.

Great.  Garming is setting up a new Wintest environment, but sadly we
haven't got that going yet.  I'll look over the changed patches by eye
today. 

Thank you very much for all of your hard work here.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba